> -----Original Message----- > From: Zeng, Star > Sent: Friday, November 16, 2018 11:14 AM > To: Wu, Hao A; [email protected] > Cc: Laszlo Ersek; Yao, Jiewen; Zeng, Star > Subject: Re: [edk2] [PATCH v1 1/2] MdeModulePkg/SmmCorePerfLib: [CVE- > 2017-5753] Fix bounds check bypass > > On 2018/11/16 9:37, Hao Wu wrote: > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194 > > > > Speculative execution is used by processor to avoid having to wait for > > data to arrive from memory, or for previous operations to finish, the > > processor may speculate as to what will be executed. > > > > If the speculation is incorrect, the speculatively executed instructions > > might leave hints such as which memory locations have been brought into > > cache. Malicious actors can use the bounds check bypass method (code > > gadgets with controlled external inputs) to infer data values that have > > been used in speculative operations to reveal secrets which should not > > otherwise be accessed. > > > > This commit will focus on the SMI handler(s) registered within the > > TBD. > > What does the 'TBD' mean here?
Sorry. Patch was generated on the wrong commit, I will send a V2 of the series to address this. Best Regards, Hao Wu > > Thanks, > Star > > > > > Hence, this commit adds a AsmLfence() after the boundary/range checks of > > 'CommBuffer' to prevent the speculative execution. > > > > A more detailed explanation of the purpose of commit is under the > > 'Bounds check bypass mitigation' section of the below link: > > https://software.intel.com/security-software-guidance/insights/host- > firmware-speculative-execution-side-channel-mitigation > > > > And the document at: > > https://software.intel.com/security-software-guidance/api- > app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass- > vulnerabilities.pdf > > > > Cc: Star Zeng <[email protected]> > > Cc: Jiewen Yao <[email protected]> > > Cc: Laszlo Ersek <[email protected]> > > Contributed-under: TianoCore Contribution Agreement 1.1 > > Signed-off-by: Hao Wu <[email protected]> > > --- > > > MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c > | 16 +++++++++++++++- > > 1 file changed, 15 insertions(+), 1 deletion(-) > > > > diff --git > a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib > .c > b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib > .c > > index cd1f1a5d5f..63c1eea3a2 100644 > > --- > a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib > .c > > +++ > b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib > .c > > @@ -16,7 +16,7 @@ > > > > SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive > untrusted input and do basic validation. > > > > -Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR> > > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR> > > This program and the accompanying materials > > are licensed and made available under the terms and conditions of the BSD > License > > which accompanies this distribution. The full text of the license may be > found at > > @@ -538,6 +538,13 @@ SmmPerformanceHandlerEx ( > > break; > > } > > > > + // > > + // The AsmLfence() call here is to ensure the previous range/content > > + // checks for the CommBuffer have been completed before calling > > + // CopyMem(). > > + // > > + AsmLfence (); > > + > > GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); > > > > for (Index = 0; Index < NumberOfEntries; Index++) { > > @@ -650,6 +657,13 @@ SmmPerformanceHandler ( > > break; > > } > > > > + // > > + // The AsmLfence() call here is to ensure the previous range/content > > + // checks for the CommBuffer have been completed before calling > > + // CopyMem(). > > + // > > + AsmLfence (); > > + > > GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); > > > > for (Index = 0; Index < NumberOfEntries; Index++) { > > _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
